How to check the IPsec tunnels are still being used or not?

jayjz (Level 1)

Hello, I have a whole bunch of tunnels configured via ASA5510. 

I can see all the active tunnels/count of active tunnels using: show vpn-sessiondb summary.

My question is: how do I find out if any of the tunnels are still being used, or when they were last used?

We are migrating data centers and I am trying to figure out which of the tunnels need to be moved to the new DC. 

5 Replies

ASA# show vpn-sessiondb detail l2l

Session Type: LAN-to-LAN Detailed

Connection   : 1.1.1.1
Index        : 312                    IP Addr      : 1.1.1.1
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)3DES  IPsec: (1)3DES
Hashing      : IKEv1: (1)SHA1  IPsec: (1)SHA1
Bytes Tx     : 18999                  Bytes Rx     : 26267
Login Time   : 14:20:36 UTC Mon Sep 30 2013
Duration     : xh:xm:xs

IKEv1:
  Tunnel ID    : 312.1
  UDP Src Port : 500                    UDP Dst Port : 500
  IKE Neg Mode : Main                   Auth Mode    : preSharedKeys
  Encryption   : 3DES                   Hashing      : SHA1
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 84425 Seconds
  D/H Group    : 2
  Filter Name  :
  IPv6 Filter  :

IPsec:
  Tunnel ID    : 312.2
  Local Addr   : 10.254.254.0/255.255.255.0/0/0
  Remote Addr  : 172.16.254.0/255.255.255.0/0/0
  Encryption   : 3DES                   Hashing      : SHA1
  Encapsulation: Tunnel                 PFS Group    : 2
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 26825 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607975 K-Bytes
  Idle Time Out: 30 Minutes             Idle TO Left : x Minutes
  Bytes Tx     : 18999                  Bytes Rx     : 26267
  Pkts Tx      : 94                     Pkts Rx      : 114

NAC:
  Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
  SQ Int (T)   : 0 Seconds              EoU Age(T)   : 2000 Seconds
  Hold Left (T): 0 Seconds              Posture Token:
  Redirect URL :

Hi MHM Cisco World, is there a way to check when an inactive tunnel was last used?

For example:

1. Using the command ASA# show vpn-sessiondb detail l2l shows only the active tunnels and their information.

2. When I look up the same firewall on CSM, it shows more tunnels. Is it possible to see historical data, or at least when the last time was for the tunnels that are not active?

In the picture below:

"S2S-BIL-PI" is active and I can see the information on the CLI using ASA# show vpn-sessiondb detail l2l. But "S2S-BIL-RO" does not show up via the above command and I want to check when it was last used/active.

tempsnip1.png

Not only active, inactive also.
Idle TO Left <<- this indicates how long the tunnel has been inactive; when this time exceeds the idle timeout, the tunnel will be removed from the ASA sessiondb.

@jayjz if you are using an ASA 5510 then you are using a policy based VPN, which requires traffic being sent/received for the tunnel to be established. Therefore if there is an active tunnel with IPSec SAs established, the tunnel is in use, with the encap|decap counters increasing.

If there is no traffic being sent/received, a tunnel would not be established and no IPSec SA established. So work out which tunnels are not established; this would indicate any likely unused tunnels.
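As an added illustration of the test described in this thread (not code from any of the posters), the script below parses two snapshots of `show vpn-sessiondb detail l2l` taken some time apart, compares them against the list of configured peers, and sorts each peer into "no SA", "SA up but idle" or "in use". The snapshot text, the peer addresses and the use of `show running-config tunnel-group` as the source of the configured-peer list are constructed assumptions.

```python
import re

# Constructed snapshots, modelled on the 'show vpn-sessiondb detail l2l' output quoted
# in the thread (fields trimmed to the ones the parser reads).
SNAPSHOT_T0 = """\
Connection   : 1.1.1.1                Index        : 312
Bytes Tx     : 18999                  Bytes Rx     : 26267
IPsec:
  Idle Time Out: 30 Minutes            Idle TO Left : 29 Minutes
  Pkts Tx      : 94                    Pkts Rx      : 114

Connection   : 2.2.2.2                Index        : 313
Bytes Tx     : 400                    Bytes Rx     : 400
IPsec:
  Idle Time Out: 30 Minutes            Idle TO Left : 12 Minutes
  Pkts Tx      : 5                     Pkts Rx      : 5
"""
# Same command ten minutes later (constructed): 1.1.1.1 moved traffic, 2.2.2.2 did not.
SNAPSHOT_T1 = (SNAPSHOT_T0.replace("18999", "21450").replace("26267", "27120")
               .replace("Left : 29 Min", "Left : 30 Min").replace("Left : 12 Min", "Left : 2 Min"))
# Peers configured on the ASA, e.g. taken from 'show running-config tunnel-group' (constructed).
CONFIGURED_PEERS = ["1.1.1.1", "2.2.2.2", "3.3.3.3"]

def parse_l2l_sessions(output):
    """Map peer address -> counters for every session block in the output."""
    sessions = {}
    for block in re.split(r"(?m)^Connection\s*:", output)[1:]:
        def num(label, _b=block):
            m = re.search(label + r"\s*:\s*(\d+)", _b)
            return int(m.group(1)) if m else None
        sessions[block.split()[0]] = {
            "bytes_tx": num("Bytes Tx"), "bytes_rx": num("Bytes Rx"),
            "idle_left_min": num("Idle TO Left"),
        }
    return sessions

def classify_tunnels(configured, t0, t1):
    """Rob's test: no SA -> likely unused; counters rising between snapshots
    -> in use; SA present but static -> idle and will age out at Idle TO Left."""
    status = {}
    for peer in configured:
        a, b = t0.get(peer), t1.get(peer)
        if b is None:
            status[peer] = "no IPsec SA now (unused, or idled out since t0)"
        elif a is None or b["bytes_tx"] > a["bytes_tx"] or b["bytes_rx"] > a["bytes_rx"]:
            status[peer] = "in use (SA new or counters increasing)"
        else:
            status[peer] = "SA up but idle (%d min until idle timeout)" % b["idle_left_min"]
    return status
```

Run `classify_tunnels(CONFIGURED_PEERS, parse_l2l_sessions(SNAPSHOT_T0), parse_l2l_sessions(SNAPSHOT_T1))` against real captures spaced a few hours apart; a single snapshot cannot tell an in-use tunnel from one that is merely still within its idle timeout.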

Hi Rob, is there a way to check when a tunnel was last used?

For example:

1. Using the command ASA# show vpn-sessiondb detail l2l shows only the active tunnels and their information.

2. When I look up the same firewall on CSM, it shows more tunnels. Is it possible to see historical data, or at least when the last time was for the tunnels that are not active?

In the picture below:

"S2S-BIL-PI" is active and I can see the information on the CLI using ASA# show vpn-sessiondb detail l2l. But "S2S-BIL-RO" does not show up via the above command and I want to check when it was last used/active.

tempsnip1.png